MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aab4d0198e57e6a91a1318310347b8a9d16d7fee076211fcb9dcb5a720a2fc71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	aab4d0198e57e6a91a1318310347b8a9d16d7fee076211fcb9dcb5a720a2fc71
SHA3-384 hash:	9bdd70bedd0854846c51b08997ed7d250596be87d655d859075960c6eed6e699facd8fbe53e60eb453a8db3101941faa
SHA1 hash:	79d95630d6685ebe59bf855be8e40f9dba25e0ff
MD5 hash:	4e729521bcdb0e1a8f3d0699e3b82b12
humanhash:	failed-lake-orange-leopard
File name:	New Case Activated CCMA Case GAJB00138471-21.pdf.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	877'568 bytes
First seen:	2021-02-22 07:31:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:2myaTskBqv6KOtAr7ClNpHaNGIr8tG5KoTkE/T/1Ge/:2Vawcw0hlNpH05r8thoQE/TEo
Threatray	135 similar samples on MalwareBazaar
TLSH	1E159D1E7B84EB63C7075EB68A5359A043F18D27567BE243EDE436EC80B9E451F0B40A
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

Malspam distributing unidentified malware:

HELO: faxoshe.com
Sending IP: 199.217.117.132
From: casemngt@ccma.org.za
Subject: New Case Activated: CCMA Case GAJB00138471-21 (GAJB) is Scheduled for 'Arbitration' for Fri 26-February-2021 10:00am
Attachment: New Case Activated CCMA Case GAJB00138471-21.pdf.gz (contains "New Case Activated CCMA Case GAJB00138471-21.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/118251/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Creating a file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Deleting a recently created file

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/613743

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aab4d0198e57e6a91a1318310347b8a9d16d7fee076211fcb9dcb5a720a2fc71/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-02-22 06:43:55 UTC

AV detection:

8 of 48 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vk2nagmok7tksgqtdayqgr5yvhiw277oa5rbd7fz3s22oifc7ryq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult agilenet discovery infostealer spyware trojan

Link:

https://tria.ge/reports/210222-bl583fewg6/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Unpacked files

SH256 hash:

aab4d0198e57e6a91a1318310347b8a9d16d7fee076211fcb9dcb5a720a2fc71

MD5 hash:

4e729521bcdb0e1a8f3d0699e3b82b12

SHA1 hash:

79d95630d6685ebe59bf855be8e40f9dba25e0ff

Link:

https://www.unpac.me/results/5f95f4ac-00ea-4430-b75f-87b0815f8eba/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz f4f39aa4bc0fa5a462a090c08441b78f3591b463608a2a0de268defb709ddd40

AZORult

exe aab4d0198e57e6a91a1318310347b8a9d16d7fee076211fcb9dcb5a720a2fc71

(this sample)

Dropped by

MD5 365fcf90f4a4a3804244393c868eb227

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/118251/

Dropped by

SHA256 f4f39aa4bc0fa5a462a090c08441b78f3591b463608a2a0de268defb709ddd40

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample